securitycontext

package
v1.16.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 9, 2022 License: Apache-2.0 Imports: 3 Imported by: 0

Documentation

Overview

Package securitycontext contains security context api implementations

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddNoNewPrivileges

func AddNoNewPrivileges(sc *v1.SecurityContext) bool

AddNoNewPrivileges returns if we should add the no_new_privs option.

func ConvertToRuntimeMaskedPaths

func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string

ConvertToRuntimeMaskedPaths converts the ProcMountType to the specified or default masked paths.

func ConvertToRuntimeReadonlyPaths

func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string

ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default readonly paths.

func DetermineEffectiveSecurityContext

func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext

DetermineEffectiveSecurityContext returns a synthesized SecurityContext for reading effective configurations from the provided pod's and container's security context. Container's fields take precedence in cases where both are set

func HasCapabilitiesRequest

func HasCapabilitiesRequest(container *v1.Container) bool

HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils

func HasPrivilegedRequest

func HasPrivilegedRequest(container *v1.Container) bool

HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils

func ValidInternalSecurityContextWithContainerDefaults

func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext

ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

func ValidSecurityContextWithContainerDefaults

func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext

ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

Types

type ContainerSecurityContextAccessor

type ContainerSecurityContextAccessor interface {
	Capabilities() *api.Capabilities
	Privileged() *bool
	ProcMount() api.ProcMountType
	SELinuxOptions() *api.SELinuxOptions
	RunAsUser() *int64
	RunAsGroup() *int64
	RunAsNonRoot() *bool
	ReadOnlyRootFilesystem() *bool
	AllowPrivilegeEscalation() *bool
}

ContainerSecurityContextAccessor allows reading the values of a SecurityContext object

func NewContainerSecurityContextAccessor

func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor

NewContainerSecurityContextAccessor returns an accessor for the provided container security context May be initialized with a nil SecurityContext

func NewEffectiveContainerSecurityContextAccessor

func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor

NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values for the provided pod security context and container security context

type ContainerSecurityContextMutator

type ContainerSecurityContextMutator interface {
	ContainerSecurityContextAccessor

	ContainerSecurityContext() *api.SecurityContext

	SetCapabilities(*api.Capabilities)
	SetPrivileged(*bool)
	SetSELinuxOptions(*api.SELinuxOptions)
	SetRunAsUser(*int64)
	SetRunAsGroup(*int64)
	SetRunAsNonRoot(*bool)
	SetReadOnlyRootFilesystem(*bool)
	SetAllowPrivilegeEscalation(*bool)
}

ContainerSecurityContextMutator allows reading and writing the values of a SecurityContext object

func NewContainerSecurityContextMutator

func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator

NewContainerSecurityContextMutator returns a mutator for the provided container security context May be initialized with a nil SecurityContext

func NewEffectiveContainerSecurityContextMutator

func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator

NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values for the provided pod security context and container security context

type PodSecurityContextAccessor

type PodSecurityContextAccessor interface {
	HostNetwork() bool
	HostPID() bool
	HostIPC() bool
	SELinuxOptions() *api.SELinuxOptions
	RunAsUser() *int64
	RunAsGroup() *int64
	RunAsNonRoot() *bool
	SupplementalGroups() []int64
	FSGroup() *int64
}

PodSecurityContextAccessor allows reading the values of a PodSecurityContext object

func NewPodSecurityContextAccessor

func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor

NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.

type PodSecurityContextMutator

type PodSecurityContextMutator interface {
	PodSecurityContextAccessor

	SetHostNetwork(bool)
	SetHostPID(bool)
	SetHostIPC(bool)
	SetSELinuxOptions(*api.SELinuxOptions)
	SetRunAsUser(*int64)
	SetRunAsGroup(*int64)
	SetRunAsNonRoot(*bool)
	SetSupplementalGroups([]int64)
	SetFSGroup(*int64)

	// PodSecurityContext returns the current PodSecurityContext object
	PodSecurityContext() *api.PodSecurityContext
}

PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object

func NewPodSecurityContextMutator

func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator

NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL